{
	"id": "64a73102-64ee-4933-83b3-f059dae6b94a",
	"created_at": "2026-04-06T00:07:53.66366Z",
	"updated_at": "2026-04-10T03:22:03.8896Z",
	"deleted_at": null,
	"sha1_hash": "95f64ade99a6e02568a135649c5b4a4c35295325",
	"title": "An End to “Smash-and-Grab” and a Move to More Targeted Approaches",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53931,
	"plain_text": "An End to “Smash-and-Grab” and a Move to More Targeted Approaches\r\nBy kozy\r\nArchived: 2026-04-05 18:14:01 UTC\r\nIn late October and early November 2017, CrowdStrike® Falcon Intelligence™ observed People’s Republic of China (PRC)-based actors conducting espionage-driven targeted attacks against at least four Western think tanks and an additional two non-governmental organizations (NGOs). This marks a significant increase in China-based activity from the months prior, as the majority of activity observed in Q3 was focused on Southeast and East Asia. The “smash-and-grab” type of cyber operation that characterized the majority of pre-2016 PRC espionage cases appears to have ceased in favor of much more targeted intrusions focused on specific outcomes. Previous operations against think tanks resembled the digital equivalent of a smash-and-grab robbery: the attackers indiscriminately exfiltrated data, vacuuming up whatever information was available. In these most recent incidents, however, the threat actors specifically targeted the communications of foreign personnel involved in research on Chinese economic policy and the Chinese economy, as well as users with noted expertise in defense, international finance, U.S.-Sino relations, cyber governance, and democratic elections.\r\nThe majority of these intrusions leveraged the China Chopper webshell and/or credential-harvesting tools targeting Microsoft Active Directory infrastructure, such as Mimikatz, to compromise credentials for lateral movement in victim networks. Typically, the adversary also retrieved second-stage tools from an external staging server. Actors often searched for very specific strings, such as “china”, “cyber”, “japan”, “korea”, “chinese” and “eager lion”; the latter is likely a reference to a multinational annual military exercise held in Jordan. In at least two cases, adversaries were observed dumping the email directory to obtain a full listing of departments within the victim organization. Not only does this tactic help refine the list of targeted personnel within the organization, but access to a legitimate email server can also provide a platform for future spear-phishing operations. Nearly all of the affected organizations likely maintain close ties to Western government officials. This makes them attractive targets for mounting further attacks against government-supporting sectors, since the intruders can masquerade as trusted sources when sending spear-phishing emails.\r\nPANDA vs. Falcon\r\nAn interesting case study was observed by both CrowdStrike Services and the Falcon OverWatch™ managed hunting team in late October 2017, when a China-based adversary attempted to compromise the web server of a think tank. The specific target appeared to be related to an ongoing military research project. As with many of the currently observed Chinese targeted intrusions, the adversary attempted to use China Chopper for reconnaissance and lateral movement after logging in via an account compromised by spear phishing. As is prevalent among CrowdStrike customers, webshell blocking was enabled in the Falcon endpoint protection platform, which prevented the actor from using the webshell to run any commands. The operator attempted to access the server through the China Chopper shell for four days in a row, showing particular dedication to this endpoint, and issued several whoami requests during normal Beijing business hours. On the fourth day, after repeated failures, subsequent access attempts occurred at 11 p.m. Beijing time. This after-hours attempt was likely conducted by a different operator, or possibly by someone called in to troubleshoot the webshell. After a quick series of tests, the activity ceased and no attempts were made over the weekend. Except for the 11 p.m. login, the observed activity suggests that the adversary is a professional outfit with normal operating hours and assigned tasks.\r\nOn the following Monday, the actors returned, logging into the same user account and attempting a different shell; this attempt was also quickly stopped by CrowdStrike Services. After being forced out again, the actor switched tactics and returned via the same account to attempt a SQL injection against the web server. When that attempt failed as well, the user signed out and a separate host began conducting a low-volume DDoS attack against the think tank’s website.\r\nThis case is notable for several reasons. First, the adversary showed a high degree of persistence and dedication to compromising the target over the course of a week. Second, they used a different shell, failed, and then attempted a SQL injection attack on the server; while this may not be unusual on its own, the short timeline in which it was carried out shows the adversary’s ability to adapt. The multiple attempts to gain access also highlight the likely importance of the project and/or suggest that the adversary was under specific time constraints. The final step of conducting a DDoS attack on the think tank’s site was unusual in the context of an espionage operation. The purpose of the attack is unclear, as it did not appear to benefit the espionage objective; given the timing and the repeated failures to gain access to what is presumably a high-value target, it may have been done out of frustration. This is believed to be the first time CrowdStrike has observed a China-based adversary engaging in a disruptive attack against what was previously (and likely still is) an espionage target as a follow-on to normal espionage activity.\r\nOutlook\r\nChina’s renewed interest in targeting Western think tanks and NGOs is hardly surprising given President XI Jinping’s call to improve China’s think tanks, a response to the myriad new strategic problems facing China as it seeks greater influence as a global player. The targeting of these six organizations may signal a more widespread and active campaign to collect sensitive material and enable future operations. Individuals and enterprises that maintain relationships with Western think tanks and NGOs are advised to take appropriate precautions: a system security review, additional user awareness training, and comprehensive endpoint visibility are critical to identifying and preventing threats from advanced adversaries. The increase in operational tempo by China-associated intrusion actors observed during 2017 is covered in more detail in the upcoming CrowdStrike Global Threat Report 2017. For more information on CrowdStrike's threat intelligence services, please visit /content/crowdstrike-www/locale-sites/us/en-us/products/threat-intelligence/falcon-intelligence-automated-intelligence/.\r\nSource: https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/"
	],
	"report_names": [
		"an-end-to-smash-and-grab-more-targeted-approaches"
	],
	"threat_actors": [],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95f64ade99a6e02568a135649c5b4a4c35295325.pdf",
		"text": "https://archive.orkl.eu/95f64ade99a6e02568a135649c5b4a4c35295325.txt",
		"img": "https://archive.orkl.eu/95f64ade99a6e02568a135649c5b4a4c35295325.jpg"
	}
}